Black Friday Sale! Save huge on InvestingProGet up to 60% off

Russian hackers lured embassy workers in Ukraine with ad for a cheap BMW

Published 07/12/2023, 01:04 AM
Updated 07/12/2023, 04:26 PM
© Reuters. The fake used car advert created by hackers suspected of working for Russia's foreign intelligence agency in a bid to break into the computers of dozens of diplomats at embassies in Ukraine, is pictured in this undated handout picture.   Unit 42/Handout v
PANW
-

By James Pearson

LONDON (Reuters) -Hackers suspected of working for Russia's foreign intelligence agency targeted dozens of diplomats at embassies in Ukraine with a fake used car advert in a bid to break into their computers, according to a cybersecurity firm report published on Wednesday.

The wide-reaching espionage activity targeted diplomats working in at least 22 of the roughly 80 foreign missions in Ukraine's capital, Kyiv, analysts at Palo Alto Networks (NASDAQ:PANW)' Unit 42 research division said in the report.

"The campaign began with an innocuous and legitimate event," said the report, which was first reported by Reuters.

"In mid-April 2023, a diplomat within the Polish Ministry of Foreign Affairs emailed a legitimate flyer to various embassies advertising the sale of a used BMW 5-series sedan located in Kyiv".

The Polish diplomat, who declined to be identified citing security concerns, confirmed the role of his advertisement in the digital intrusion.

The hackers, known as APT29 or "Cozy Bear", intercepted and copied that flyer, embedded it with malicious software, then sent it to dozens of other foreign diplomats working in Kyiv, Unit 42 said.

"This is staggering in scope for what generally are narrowly scoped and clandestine advanced persistent threat (APT) operations," said the report, using an acronym often used to describe state-backed cyberespionage groups.

In 2021, U.S. and British intelligence agencies identified APT29 as an arm of Russia's foreign Intelligence Service, the SVR. The SVR did not respond to a request from Reuters for comment about the hacking campaign.

In April, Polish counterintelligence and cybersecurity authorities warned that the same group had conducted a "widespread intelligence campaign" against NATO member states, the European Union, and Africa.

Researchers at Unit 42 were able to tie the fake car advert back to the SVR because the hackers re-used certain tools and techniques which have previously been connected to the spy agency.

"Diplomatic missions will always be a high-value espionage target," the Unit 42 report said. "Sixteen months into the Russian invasion of Ukraine, intelligence surrounding Ukraine and allied diplomatic efforts are almost certainly a high priority for the Russian government".

USED BMW

The Polish diplomat said he had sent the original advert to various embassies in Kyiv, and that someone had called him back because the price looked "attractive".

"When I checked, I realised they were talking about a slightly lower price," the diplomat told Reuters.

SVR hackers, it turns out, had listed the diplomat's BMW for a lower price - 7,500 euros - in their fake version of the advert, in an attempt to encourage more people to download malicious software that would give them remote access to their devices, Reuters found.

That software, Unit 42 said, was disguised as an album of photographs of the used BMW. Attempts to open those photographs would have infected the target's machine, the report said.

Twenty-one of the 22 embassies targeted by the hackers and subsequently contacted by Reuters did not provide comment. It was not clear which embassies, if any, had been compromised.

A U.S. State Department spokesperson said they were "aware of the activity and based on the Directorate of Cyber and Technology Security's analysis found it did not affect Department systems or accounts."

© Reuters. The fake used car advert created by hackers suspected of working for Russia's foreign intelligence agency in a bid to break into the computers of dozens of diplomats at embassies in Ukraine, is pictured in this undated handout picture.   Unit 42/Handout via REUTERS

As for the car, it was still available, the Polish diplomat told Reuters:

"I'll try to sell it in Poland, probably," he said. "After this situation, I don't want to have any more problems".

Latest comments

Risk Disclosure: Trading in financial instruments and/or cryptocurrencies involves high risks including the risk of losing some, or all, of your investment amount, and may not be suitable for all investors. Prices of cryptocurrencies are extremely volatile and may be affected by external factors such as financial, regulatory or political events. Trading on margin increases the financial risks.
Before deciding to trade in financial instrument or cryptocurrencies you should be fully informed of the risks and costs associated with trading the financial markets, carefully consider your investment objectives, level of experience, and risk appetite, and seek professional advice where needed.
Fusion Media would like to remind you that the data contained in this website is not necessarily real-time nor accurate. The data and prices on the website are not necessarily provided by any market or exchange, but may be provided by market makers, and so prices may not be accurate and may differ from the actual price at any given market, meaning prices are indicative and not appropriate for trading purposes. Fusion Media and any provider of the data contained in this website will not accept liability for any loss or damage as a result of your trading, or your reliance on the information contained within this website.
It is prohibited to use, store, reproduce, display, modify, transmit or distribute the data contained in this website without the explicit prior written permission of Fusion Media and/or the data provider. All intellectual property rights are reserved by the providers and/or the exchange providing the data contained in this website.
Fusion Media may be compensated by the advertisers that appear on the website, based on your interaction with the advertisements or advertisers.
© 2007-2024 - Fusion Media Limited. All Rights Reserved.